The UCISA Networking Group’s conference BYOD: Responding to the Challenge looked at new developments in an area that has actually been an important part of Higher Education for at least fifteen years. Student residences have offered network sockets since the 1990s and staff have been using family PCs for out of hours work for at least as long. This has always created two challenges – supporting users on an apparently infinite range of hardware and software, and ensuring that user-owned devices do not create an unacceptable risk to users and information. More recently the growth in the number of devices per user has challenged wireless network provision (Loughborough University recently exceeded 8000 simultaneously connected wireless devices), but here it seems that new designs, standards and technologies are available to help.
On support and managing risks the best approaches seem to depend on engagement with device owners rather than technology. Since it is impractical to offer the same level of support for all devices and all applications, service users need to be involved in setting priorities. Here it is worth looking both for quick wins and applications where ‘BYOD-friendliness’ will have a high value to users and the organisation. Creating self-supporting communities of users is particularly helpful – IT services can facilitate this through on-line groups and face-to-face surgeries, then concentrate efforts on guiding users to the right approaches, rather than trying to provided detailed instructions for everything.
Working with device owners also seems to be critical to keeping information secure. BYOD could represent a risk to both the owner’s information and that of the organisation so there should be a shared interest in security measures such as good passwords, screen locks when devices are idle, encrypted communications and storage. The ability to remotely wipe a lost device can protect both owner and organisation, but there needs to be agreement on when and how it will be triggered (Mobile Application Management software may in future allow wiping of specific applications and their data). Sharing a device requires both the owner and the organisation to accept limits on how they will behave: organisations that insist on excessive monitoring and control represent a threat to device owners and family members who may share the device, just as owners who behave unsafely with information represent a threat to organisations and themselves. If the mutual benefits of convenience and efficiency are not sufficient to make these limits acceptable then BYOD is probably not the right solution.
An approach used by commercial organisations is to group services based on the technologies and behaviours required to protect them: access to calendars or room booking systems may only need encrypted communications (to protect passwords) and the ability to disable access if the device is lost; access to corporate applications may require additional authentication, filtering and the ability to remotely wipe stored information. Access can then be granted or denied based on the capabilities of the device and its owner and the importance of that individual having access to that application. The best approaches protect both owner and organisation, for example agreeing to keep personal and business information separate allows both parties to keep reasonable control of their information. Getting these benefits right will require discussions with owners on how they use their devices, how BYOD might change that and the supporting advice and services they will need. Pilot studies with volunteers seem most likely to produce effective approaches. BYOD will not be appropriate for all applications: if particular information or services require more intrusive protection than can safely be applied on a personal device that is likely to be shared with family members, then it’s in both parties interest to do that on a separate, organisation-owned device.
Some references:
- ENISA on managing BYOD risks
- Information Commissioner on BYOD and personal data
- Intel’s approach to BYOD available from www.intel.com/IT
- Cisco’s approach to BYOD available from http://cisco.com/go/ciscoit
- JISCLegal BYOD policy template for Further Education